The tweets I gathered are those I “liked” throughout the year. They hit on threat intelligence concepts, best practices, gripes, and some other commentary on the information security industry more broadly. (And there are a few that just made me laugh.) I generally omitted tweets with links to blog posts or videos, favoring those that capture threat intelligence insights in 140 characters or less.

Many of these tweets are from longer conversations that are rich and thought-provoking. Although I snagged the tweets that I thought best captured the gist of these conversations, I encourage you to read the full threads.

Open sources provide a wealth of valuable intelligence and, often, network- and host-based indicators to enable detection and further investigation.

I’m interested in indicators from an investigative perspective. What overlaps or “centers of gravity” can we uncover? Do any of these provide other collection opportunities (e.g., tracking a particular domain registrant) or detection opportunities (e.g., a small netblock hosting dedicated C2 infrastructure)?

My investigative process around information culled from open sources used to be manual: copying and pasting indicators, one by one, from blog posts into TXT and/or CSV documents, then querying those indicators against various external or internal datasets. That process is neither efficient nor fun.

Fortunately, the availability and quality of open source threat intelligence tools have grown in kind with the quality and quantity of the open source information. Using exclusively free tools, analysts can all but bypass manual processing and dive straight into their investigation in only a minute or two.
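The two steps described above, pulling indicators out of a report and then looking for "centers of gravity" such as a small netblock hosting several of them, can be automated in a few dozen lines. The following is an added example written for this page, not the author's tooling or any of the free tools mentioned; the report excerpt it parses is constructed, and every indicator in it is fictional (documentation ranges and reserved example domains).

```python
"""Extract defanged indicators from open-source reporting and cluster them.

Added example for this page (not the blog author's code). SAMPLE_REPORT is a
constructed stand-in for a vendor blog post; its indicators are fictional.
"""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt. Indicators are defanged the way reports usually
# publish them ("[.]" for dots, "hxxp" for http).
SAMPLE_REPORT = """
The dropper (MD5 0123456789abcdef0123456789abcdef) beacons to
hxxp://update[.]example-c2[.]com/check and to 203[.]0[.]113[.]10.
A second stage uses 203[.]0[.]113[.]12 and files[.]example-c2[.]net;
unrelated noise: mail[.]example[.]org resolving to 198[.]51[.]100[.]7.
"""

# A separator is either a literal "[.]" or a plain ".", and it is required,
# so a bare hash or word can never be mistaken for a domain.
_SEP = r"(?:\[\.\]|\.)"
_IPV4 = re.compile(r"\b(?:\d{1,3}" + _SEP + r"){3}\d{1,3}\b")
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+" + _SEP + r")+[a-z]{2,}\b", re.I)
_MD5 = re.compile(r"\b[a-f0-9]{32}\b", re.I)


def refang(value: str) -> str:
    """Turn 'a[.]b' / 'hxxp' back into the live form used for lookups."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def extract_indicators(text: str) -> list[dict]:
    """Return one dict per unique indicator: {type, value, defanged}."""
    found, seen = [], set()
    for kind, pattern in (("ipv4", _IPV4), ("md5", _MD5), ("domain", _DOMAIN)):
        for match in pattern.finditer(text):
            live = refang(match.group(0)).lower()
            if kind == "ipv4":
                try:
                    ipaddress.IPv4Address(live)  # drop 999.1.1.1-style noise
                except ValueError:
                    continue
            key = (kind, live)
            if key in seen:
                continue
            seen.add(key)
            found.append({"type": kind, "value": live, "defanged": match.group(0)})
    return found


def cluster_by_netblock(indicators: list[dict], prefix: int = 24) -> dict[str, list[str]]:
    """Group IPv4 indicators by /prefix. Several indicators landing in one
    small block is the kind of overlap worth a closer look (possible
    dedicated C2 range), though it is a lead, not a conclusion."""
    blocks: dict[str, list[str]] = defaultdict(list)
    for ind in indicators:
        if ind["type"] != "ipv4":
            continue
        net = ipaddress.ip_network(f"{ind['value']}/{prefix}", strict=False)
        blocks[str(net)].append(ind["value"])
    return dict(blocks)


def to_csv(indicators: list[dict]) -> str:
    """Serialise to the CSV layout that manual copy-and-paste used to produce."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["type", "value", "defanged"])
    writer.writeheader()
    writer.writerows(indicators)
    return buf.getvalue()


if __name__ == "__main__":
    inds = extract_indicators(SAMPLE_REPORT)
    print(to_csv(inds))
    for block, ips in cluster_by_netblock(inds).items():
        flag = "  <- multiple hosts in one /24" if len(ips) > 1 else ""
        print(block, ips, flag)
```

The CSV output is what you would feed into a tool like Maltego or a passive DNS query script; the netblock grouping is only a triage hint, since shared hosting and CDNs will also put unrelated indicators in one /24.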

Even though ransomware is one of the threats du jour, it’s not something I’ve closely studied. So I decided that this weekend was as good a time as any to conduct some research and develop a better understanding of this threat.

I wish I could say I identified novel features of what I discovered were large, multi-wave ransomware campaigns between May and August. But that didn’t happen. The reality is pretty mundane: I pulled together existing research and documented—in my own words—what others have already reported.

As an analyst, I’m okay with that. I’ve found this type of research to be typical. And it brings up thoughts (and tips!) I have on intelligence consumption. But more on those soon… First, let’s look at the recent ransomware activity.

BLUF: As intelligence analysts, our customers demand that we know a lot about a lot. However, research from Chris Sanders shows that humans’ working memories are very limited; we can only juggle small volumes of information at once. Even long-term memory can be stressed by the volume of knowledge that analysts must maintain. These cognitive limitations highlight the fundamental importance of capturing knowledge in written reports. If no one writes it down, does the knowledge really exist? Playing on the expression “PCAP, or it didn’t happen,” I offer the expression “write it, or it didn’t happen.”

BLUF: I’m starting to find the sweet spot for threat_note in my at-home research workflow. By taking advantage of threat_note’s VirusTotal integration, I was able to discover some new infrastructure associated with the activity I documented in my August 8 post on Poison Ivy.

BLUF: The “Italian Connection” report from The Shadowserver Foundation is exemplary for its adherence to solid analytic tradecraft. The tradecraft is evident in the authors’ writing style, transparent methodologies, and use of structured analytic techniques. As analysts, we can learn from this report by similarly following the analytic standards that it demonstrates.

The malware was created in September 2014 and uploaded to VirusTotal in January 2015. It uses the dynamic DNS-provided C2 getstrings[.]jumpingcrab[.]com. This domain has resolved to at least three IP addresses: 210.121.164.186, 27.255.71.200, and 27.255.94.224.

I identified several decoy documents (see Maltego graph) that deliver the PlugX malware and call out to one of the two IP addresses mentioned above. These documents were reportedly used in a campaign identified by SOPHOS that spanned from September 2014 to February 2015. India was one target of the campaign.

Given the infrastructure and timing overlaps, the Poison Ivy sample discussed in this post was likely just one payload involved in a broader campaign targeting India, the Tibetan community, and others, that spanned from approximately September 2014 to February 2015.
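The reasoning in the preceding paragraphs is a pivot: start from the seed C2 domain, collect the IPs it resolved to, find other observables (here, decoy documents) that used the same IPs, and then weigh the link by whether the activity windows overlap as well. The following added example, written for this page rather than taken from the post, encodes that pivot over a small passive-DNS-style dataset. Only the seed domain and its three IP addresses come from the post; every date, both decoy document names, and the "unrelated" domain are invented placeholders that exist solely to exercise the logic, and they must not be read as findings about the real campaign.

```python
"""Pivot from a seed C2 domain to observables sharing its IPs, scored by
infrastructure overlap and by timing overlap.

Added example for this page, not the post author's code. The seed domain
and its three IPs are the post's; all dates and the other rows are invented.
"""
from collections import defaultdict
from datetime import date

# (observable, kind, ip, first_seen, last_seen). Hypothetical records.
RECORDS = [
    ("getstrings.jumpingcrab.com", "domain", "210.121.164.186", date(2014, 9, 1), date(2014, 11, 15)),
    ("getstrings.jumpingcrab.com", "domain", "27.255.71.200", date(2014, 11, 16), date(2015, 1, 10)),
    ("getstrings.jumpingcrab.com", "domain", "27.255.94.224", date(2015, 1, 11), date(2015, 2, 20)),
    ("decoy-A (hypothetical)", "sample", "27.255.71.200", date(2014, 12, 1), date(2014, 12, 1)),
    ("decoy-B (hypothetical)", "sample", "27.255.94.224", date(2015, 1, 20), date(2015, 1, 20)),
    # Same IP, but seen long before the seed: the shared-hosting trap.
    ("unrelated.example.net (hypothetical)", "domain", "27.255.71.200", date(2013, 1, 1), date(2013, 6, 30)),
]


def activity_window(observable: str, records: list) -> tuple:
    """Earliest first_seen and latest last_seen across all rows of one observable."""
    rows = [r for r in records if r[0] == observable]
    if not rows:
        raise KeyError(observable)
    return min(r[3] for r in rows), max(r[4] for r in rows)


def overlap_days(a: tuple, b: tuple) -> int:
    """Inclusive number of days two (start, end) windows share; 0 if disjoint."""
    start, end = max(a[0], b[0]), min(a[1], b[1])
    return max(0, (end - start).days + 1)


def pivot(seed: str, records: list) -> dict:
    """Find observables sharing an IP with `seed` and rate each link.

    A shared IP alone is weak evidence (dynamic DNS providers and shared
    hosts put unrelated tenants on one address), so each hit also carries
    how many days its activity overlapped the seed's."""
    seed_ips = {r[2] for r in records if r[0] == seed}
    seed_window = activity_window(seed, records)
    shared: dict = defaultdict(set)
    for obs, _kind, ip, _first, _last in records:
        if obs != seed and ip in seed_ips:
            shared[obs].add(ip)
    result = {}
    for obs, ips in shared.items():
        days = overlap_days(seed_window, activity_window(obs, records))
        result[obs] = {
            "shared_ips": sorted(ips),
            "overlap_days": days,
            "assessment": ("infrastructure and timing overlap"
                           if days > 0 else
                           "shared IP only; check for shared hosting before linking"),
        }
    return result


if __name__ == "__main__":
    for obs, info in pivot("getstrings.jumpingcrab.com", RECORDS).items():
        print(f"{obs}: {info}")
```

In practice the records would come from a passive DNS source and from sandbox or VirusTotal network callouts rather than a hand-built list, but the scoring stays the same: an IP overlap is a lead, and it becomes an assessment only once the timing lines up and the address is not a shared host.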

The Poison Ivy sample in this case thus appears to be tied to attacks by one or more adversaries acting on behalf of Chinese interests.

BLUF: There are too many threats, and not enough time. Analysts must therefore prioritize their time on threats that are relevant to their organizations — they must be deliberate about targeting, the process of identifying and focusing on the threats that matter. While many analysts intuitively know which threats are and are not relevant, it’s still helpful to have a simple model to guide such targeting and serve as a repeatable and transparent methodology. Models presented in both a Carnegie Mellon report (page 8) and a talk from Rick Holland (slide 23) can be adapted as simple frameworks to aid in Cyber Threat Targeting.